mirror of
https://github.com/pnpm/pnpm.git
synced 2026-06-28 09:55:39 -04:00
* fix(audit): prune path traversal

* fix(audit): memoize placeholder set before recursion to preserve cycle reachability

  The reachable-vulnerabilities getter returned a non-memoized empty Set for back-edges, causing incomplete results for nodes in dependency cycles. Memoize the result Set immediately so the same mutable placeholder is returned for back-edges and filled as recursion unwinds.

* fix(audit): only memoize acyclic reachability subtrees

  The placeholder-before-recursion approach only made the SCC entry node's reachable set correct; non-entry cycle members were memoized with an under-approximated set, dropping valid audit paths reached through them. Cache a node's reachable vulnerabilities only when it has no descendant back-edges to an ancestor; recompute cycle-touching nodes per query.

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
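Added illustration of the two memoization strategies the commit message contrasts; this is example code written for this page, not pnpm's own audit implementation, and it uses Python with a constructed dependency graph (`DEPS`, `VULNERABLE`) and hypothetical function names. On a cycle A -> B -> C -> A where only A also depends on the vulnerable package V1, the placeholder approach caches an empty set for the non-entry member B, while caching only subtrees with no back-edge to a strict ancestor gives B its full result.

```python
from typing import Callable, Dict, List, Set

# Constructed sample graph (not a real pnpm lockfile): A depends on B and V1,
# B -> C -> A forms a cycle, and V1 is the only package with an advisory.
DEPS: Dict[str, List[str]] = {"A": ["B", "V1"], "B": ["C"], "C": ["A"], "V1": []}
VULNERABLE: Set[str] = {"V1"}


def reachable_buggy(graph, vulnerable) -> Callable[[str], Set[str]]:
    """Placeholder-before-recursion memoization (the approach the commit reverts)."""
    memo: Dict[str, Set[str]] = {}
    def visit(node: str) -> Set[str]:
        if node in memo:
            return memo[node]          # back-edges see a still-empty placeholder
        result: Set[str] = set()
        memo[node] = result            # cached unconditionally, even mid-cycle
        if node in vulnerable:
            result.add(node)
        for dep in graph.get(node, []):
            result |= visit(dep)
        return result
    return visit


def reachable_fixed(graph, vulnerable) -> Callable[[str], Set[str]]:
    """Cache a node only if its subtree has no back-edge to a strict ancestor."""
    memo: Dict[str, Set[str]] = {}
    on_stack: Dict[str, int] = {}      # node -> depth on the current DFS path
    def visit(node: str, depth: int):
        if node in memo:
            return memo[node], depth   # complete result; does not lower `low`
        if node in on_stack:
            return set(), on_stack[node]   # back-edge: report ancestor depth
        on_stack[node] = depth
        result: Set[str] = {node} if node in vulnerable else set()
        low = depth
        for dep in graph.get(node, []):
            sub, sub_low = visit(dep, depth + 1)
            result |= sub
            low = min(low, sub_low)
        del on_stack[node]
        if low >= depth:               # no back-edge escaped above this node
            memo[node] = result        # cycle-touching nodes are recomputed
        return result, low
    return lambda node: visit(node, 0)[0]


def demo() -> Dict[str, Set[str]]:
    buggy, fixed = reachable_buggy(DEPS, VULNERABLE), reachable_fixed(DEPS, VULNERABLE)
    return {"buggy_A": buggy("A"), "buggy_B": buggy("B"),
            "fixed_A": fixed("A"), "fixed_B": fixed("B")}
```

Querying A first and then B reproduces the bug: the buggy memo answers B with an empty set, although B reaches V1 through C and A.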